If you guys are out there you guys really need to use https instead of just http for your calls. It is not safe without it.

From someone who doesn't understand shit about how the web works. Could you please tell me why https would provide even a tiny shit of protection? The only thing I can see coming out of this is increased bandwidth usage and slower pages.

"Oh ho ho, you guys need https because it protects public Bitcoin addresses from being intercepted!"

He's right. The reason btc.to needs to use HTTPS is to prevent Man In The Middle attacks. Currently, someone could change the return value of http://btc.to/1 from the real address to their own address.

That being said we've always planned on adding it, we were just waiting to see if btc.to would get some real traction with users. At this point we feel it has and will be adding HTTPS as well as HSTS soon so no matter how you access it you'll always be protected using HTTPS. We'll also start publishing our entire DB shortly so that people can verify for themselves we aren't manipulating the shortened addresses.
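An added example, not part of any post in this thread and not btc.to's code: a client-side check that a shortener response arrived over HTTPS with an HSTS policy, carries a checksum-valid address, and matches a locally held copy of the published DB. The DB layout (short code mapped to address), the function names, and the sample address (the well-known genesis-block address, used only as a checksum-valid sample) are assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def base58check_ok(addr: str) -> bool:
    """True if addr decodes to 25 bytes ending in a valid double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is one zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    payload, check = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == check

def check_resolution(url, headers, body, published_db):
    """Return a list of problems with one shortener response; empty means accept."""
    problems = []
    parts = urlsplit(url)
    hdrs = {k.lower(): v for k, v in headers.items()}
    if parts.scheme != "https":
        # Browsers ignore HSTS sent over plain HTTP, so it is not checked here.
        problems.append("not fetched over HTTPS")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hdrs.get("strict-transport-security", ""), re.I)
        if not m or int(m.group(1)) == 0:
            problems.append("no usable HSTS policy")
    addr = body.strip()
    if not base58check_ok(addr):
        problems.append("address fails Base58Check")
    if published_db.get(parts.path.lstrip("/")) != addr:
        problems.append("address differs from published DB")
    return problems

# Constructed sample data: hypothetical DB snapshot and a one-character-altered address.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
ALTERED = GENESIS[:-1] + "b"
SAMPLE_DB = {"1": GENESIS}

if __name__ == "__main__":
    good = {"Strict-Transport-Security": "max-age=31536000"}
    print(check_resolution("https://btc.to/1", good, GENESIS + "\n", SAMPLE_DB))
    print(check_resolution("http://btc.to/1", {}, ALTERED, SAMPLE_DB))
```

The checksum only catches corrupted addresses; a swapped-in address that is itself valid is caught by the comparison against the published DB.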

He's right. The reason btc.to needs to use HTTPS is to prevent Man In The Middle attacks. Currently, someone could change the return value of http://btc.to/1 from the real address to their own address.

^^ Exactly

Also "SSL is slow" is a myth on modern hardware. Please stop propagating it for the sake of internet security.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File → Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.

Also "SSL is slow" is a myth on modern hardware. Please stop propagating it for the sake of internet security.

The crypto is not exceptionally slow, but the additional packets are. A full TLS handshake requires at least four additional packets. Also, some browsers will delay the connection until they've performed an OCSP check on the certificate, which can alone take up to a half second. All of this can add up to seconds of additional delay.

I performed a simple test on http://blockexplorer.com/q/getblockcount . The HTTP version took 0.24 seconds, while the HTTPS version took 1.00 second. (This is due mostly to the handshake: additional requests would take almost the same time.)

The crypto is not exceptionally slow, but the additional packets are. A full TLS handshake requires at least four additional packets. Also, some browsers will delay the connection until they've performed an OCSP check on the certificate, which can alone take up to a half second. All of this can add up to seconds of additional delay.

That's only for the first access. After that, the session can be cached. Also, there has been a lot of work (by Google, for example) in removing the extra roundtrip which is in newer browsers and webservers. See how fast gmail.com is *with* HTTPS?

It really is a non-issue these days. Just use HTTPS. If it's noticeably slower you're using old broken software (either browser or webserver).

And even with a slight delay, the added security is worth it.
